Enabling SSL for AppServers
Enabling SSL on the AppServer involves the following steps:
1 Set up OpenSSL environment on the AppServer.
2 Create the private key and certificate request.
3 Enable SSL for the QADSI and QADFin AppServers.
4 Generate the public key.
Setting Up OpenSSL on the AppServer
1 Log in as root and run proenv.
 
$DLC/bin/proenv
 
2 Run the commands in the following order to create directories and files.
 
mkdir myssl
cd myssl
mkdir newcerts
touch index.txt
echo '01' > serial
echo '01' > crlnumber
cp $DLC/keys/policy/pscpki.cnf myssl.cnf
 
The commands create the myssl folder, which contains the newcerts folder and the files index.txt, serial, crlnumber, and myssl.cnf. index.txt, serial, crlnumber and newcerts make up the database that openssl ca uses to record the certificates it issues; myssl.cnf is the CA configuration copied from the Progress policy file.
3 Edit the myssl.cnf file, replacing the three $dir-based paths with paths relative to the myssl directory so that the database files you just created are used:

Change from: database = $dir/index.txt # database index file.
To:          database = ./index.txt # database index file.

Change from: new_certs_dir = $dir/newcerts # default place for new certs.
To:          new_certs_dir = ./newcerts # default place for new certs.

Change from: serial = $dir/serial # Current serial number
To:          serial = ./serial # Current serial number
4 Restrict the permissions on myssl.cnf so that only its owner (root) can read or write it:
chmod 0600 myssl.cnf
Creating Private Key and Certificate Request
1 Run the following command to create a private key:
pkiutil -keysize 2048 -newreq demoSSL
demoSSL is an example. You can specify your own alias name.
2 Set your password when prompted and then reenter it for verification.
3 Specify values for the following items when you are prompted:
Country Name
State or Province Name
Locality Name
Organization Name
Organizational Unit Name
Server DNS name
Make sure that you enter the Server DNS name and that it is exactly the host name configured in the SIAPI or FinAPI Connection Pool, because the clients compare the name in the certificate with the host they connect to. You can leave some of the other items blank by entering a dot (.).
The command then reports:
You may now use the file /progress/dlc11/keys/requests/demoSSL.pk10 to request a new Digital Certificate from a CA Certificate Authority.
After you obtain the new Digital Certificate from the CA, use the -import command to insert the certificate into the KeyStore.
Note: If you are going to use the Digital Certificate from a Certificate Authority (CA), skip to step 11 to import the certificate. If you want to sign your certificate by yourself for test, follow step 4 through step 10.
4 Create the self-signed root certificate using the following command. Note that it reuses the private key created in step 1 (demoSSL.pk1) for the test root CA, so the root CA and the server certificate share one key; this is acceptable only for a test setup.
openssl req -config myssl.cnf -new -x509 -days 1001 -key $DLC/keys/requests/demoSSL.pk1 -out $DLC/keys/requests/rootCA.cer
5 Enter the password for demoSSL.pk1 when the system prompts you to. The password is the one you set in step 2.
6 Specify values for the following items when the system prompts you to:
Country Name
State or Province Name
Locality Name
Organization Name
Organizational Unit Name
Server DNS name
Make sure that you enter the Server DNS name and that it is the same host name you entered in step 3, that is, the host configured in the SIAPI or FinAPI Connection Pool. You can leave some of the other items blank by entering a dot (.).
7 Create the digital certificate.
openssl ca -config myssl.cnf -cert $DLC/keys/requests/rootCA.cer -in $DLC/keys/requests/demoSSL.pk10 -keyfile $DLC/keys/requests/demoSSL.pk1 -days 365 -out $DLC/keys/requests/demoSSL.cer
8 Enter the password for demoSSL.pk1 when the system prompts you to. The password is the one you set in step 2.
9 The system prompts you to sign the certificate and update the database with the new entry. Enter y (yes) to confirm.
10 Run the following commands in order to verify the signed digital certificate:
a Show the subject, issuer and expiry date. The subject CN must be the Server DNS name and the issuer must be the root CA from step 4.
openssl x509 -subject -issuer -enddate -noout -in $DLC/keys/requests/demoSSL.cer
b Dump the complete certificate in readable form.
openssl x509 -in $DLC/keys/requests/demoSSL.cer -noout -text
c Verify that the certificate chains to rootCA.cer and is usable as an SSL server certificate. The output must end with OK.
openssl verify -purpose sslserver -CAfile $DLC/keys/requests/rootCA.cer $DLC/keys/requests/demoSSL.cer
11 Import the signed digital certificate into the Progress KeyStore under the alias of the private key. Run the following command and enter the password (set in step 2) when the system prompts you to.
pkiutil -import demoSSL $DLC/keys/requests/demoSSL.cer
This command creates the key entry $DLC/keys/demoSSL.pem, which the broker loads at start-up. Do not delete it; without it the AppServer cannot start in SSL mode.
12 Generate the key alias password for the AppServer. Run
genpassword -password [password]
Use the password that you set in step 2. The encoded password will be used for enabling SSL for the QADSI and QADFin AppServers.
Enabling SSL for the QADSI and QADFin AppServers
1 Open the ubroker.properties file from $DLC/properties.
2 Locate the section for the AppServer (for example, UBroker.AS.qadsi_AS and UBroker.AS.qadfin_AS) and add the following entries:
sslEnable=1
keyAlias=demoSSL
keyAliasPassword=212a3b223c21 # Encoded Password
demoSSL and 212a3b223c21 are for example only. Use the keyAlias and encoded password that you got in Creating Private Key and Certificate Request.
You can either use the same keyAlias for all the AppServer brokers or use a separate keyAlias for each AppServer broker. The SSL AppServer brokers that use the same keyAlias use the same private key; for example, $DLC/keys/demoSSL.pem.
3 Restart the AppServer broker and query the broker to see whether there are available AppServer agents for it.
Note: If you want to enable SSL for the existing Fin AppServer that is in use by multiple clients, ensure that all the clients (including CHUI and .NET UI) are also SSL-enabled. If you want to make the SSL-enabled Fin AppServer work with QXtend only, create a Fin AppServer for QXtend and enable SSL for it.
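Before restarting a broker it is worth checking that its section in ubroker.properties carries all three SSL entries and that the key alias actually has a matching <alias>.pem under the keys directory, since a missing key file is exactly what stops the broker from starting in SSL mode. The script below is an added example, not part of the original page or of the Progress/QAD tools. It builds a constructed sample ubroker.properties and keys directory in a temporary location; against a real installation you would pass $DLC/properties/ubroker.properties and $DLC/keys instead. The broker section names follow the page's examples; the section contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page or of the Progress/QAD tools.
# Pre-flight check of the SSL entries an AppServer broker section needs in
# ubroker.properties (sslEnable=1, keyAlias, keyAliasPassword) and of the
# <keys-dir>/<keyAlias>.pem file that pkiutil -import creates.
# Assumptions: the properties file and keys directory are constructed here in a
# temp directory; for a real check pass $DLC/properties/ubroker.properties and
# $DLC/keys.

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/keys"
: > "$WORK/keys/demoSSL.pem"      # stands in for the imported key entry

# Constructed sample: one broker fully configured, one missing the encoded
# password, one with SSL left off.
cat > "$WORK/ubroker.properties" <<'EOF'
[UBroker.AS.qadsi_AS]
    sslEnable=1
    keyAlias=demoSSL
    keyAliasPassword=212a3b223c21

[UBroker.AS.qadfin_AS]
    sslEnable=1
    keyAlias=demoSSL

[UBroker.AS.legacy_AS]
    sslEnable=0
EOF

# section_prop <file> <section> <name>
# Prints the value of <name> inside [<section>] (last occurrence wins), or
# nothing if absent. Leading whitespace on property lines is ignored.
section_prop() {
    awk -v s="[$2]" -v k="$3" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^\[/ { insec = (line == s); next }
        insec && index(line, k "=") == 1 { v = substr(line, length(k) + 2) }
        END { print v }' "$1"
}

# ssl_section_check <file> <keys-dir> <section>
# 0: SSL correctly configured; 1: sslEnable is not 1; 2: keyAlias or
# keyAliasPassword missing; 3: <keys-dir>/<keyAlias>.pem does not exist.
ssl_section_check() {
    file="$1"; keys="$2"; sec="$3"
    en="$(section_prop "$file" "$sec" sslEnable)"
    [ "$en" = "1" ] || { echo "$sec: sslEnable=${en:-unset}, SSL is off"; return 1; }
    alias="$(section_prop "$file" "$sec" keyAlias)"
    pw="$(section_prop "$file" "$sec" keyAliasPassword)"
    [ -n "$alias" ] && [ -n "$pw" ] || {
        echo "$sec: keyAlias or keyAliasPassword missing"; return 2; }
    [ -f "$keys/$alias.pem" ] || {
        echo "$sec: $keys/$alias.pem not found; broker cannot start in SSL mode"; return 3; }
    echo "$sec: SSL enabled with keyAlias=$alias ($keys/$alias.pem present)"
}

# Report on every sample broker section; failures are reported, not fatal.
for sec in UBroker.AS.qadsi_AS UBroker.AS.qadfin_AS UBroker.AS.legacy_AS; do
    ssl_section_check "$WORK/ubroker.properties" "$WORK/keys" "$sec" || true
done
```

The return codes let the check be used in a start-up wrapper: anything other than 0 means the broker should not be restarted until the section or the key file is fixed. Brokers that share a keyAlias, as the text above allows, all resolve to the same <alias>.pem, so deleting that one file breaks every one of them.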
Generate the Public Key
1 Import the rootCA certificate into the Progress certificate store ($DLC/certs) as a trusted X.509 certificate. This is the public key the clients use to verify the AppServer. Run the following command:
certutil -import $DLC/keys/requests/rootCA.cer
2 Check that the read-and-write permissions are right for the public key file. Run the following command:
ls -ltr $DLC/certs/976f8f0c.0
976f8f0c.0 is an example name; the file name is a hash of the certificate's subject name followed by .0, so it differs for each certificate.
The clients use this public key (the root CA certificate) to authenticate the AppServer. Make sure that you bundle the public key in the psccerts.jar file and deploy the public key bundle to the $DLC/certs folder of the ABL clients. QXtend Inbound is an Open Java client for the AppServer. For more information on how to enable SSL for Java clients, see Enabling SSL for Java Clients of an AppServer.